Lucene search
+L

1875 matches found

attackerkb
attackerkb
added 2 days ago5 views

CVE-2026-11563

The Word Count and Social Shares WordPress plugin through 1.0 does not validate a user-supplied file path before deletion, nor does it have proper authorization or CSRF checks, allowing any authenticated user, such as a Subscriber, to delete arbitrary files on the server, which can lead to a full...

9.6CVSS6.1AI score0.00165EPSS
Exploits0References1
nvd
nvd
added 2 days ago11 views

CVE-2026-44770

SAP Create Single Payment does not perform necessary authorization checks for an authenticated user, a restricted user could access specific entity set keys resulting in disclosure of information. This has low impact on confidentiality, with no impact on integrity and availability of the...

4.3CVSS0.00168EPSS
Exploits0References2
nvd
nvd
added 2 days ago5 views

CVE-2026-44771

SAP S/4HANA Draft operation does not perform necessary authorization checks for an authenticated user, a restricted user could access information within the entity resulting in escalation of privileges. This results in low impact on confidentiality, with no impact on integrity and availability of...

4.3CVSS0.00172EPSS
Exploits0References2
euvd
euvd
added 2 days ago7 views

EUVD-2026-43594

SAP Create Single Payment does not perform necessary authorization checks for an authenticated user, a restricted user could access specific entity set keys resulting in disclosure of information. This has low impact on confidentiality, with no impact on integrity and availability of the...

4.3CVSS6.1AI score0.00168EPSS
Exploits0References2
cve
cve
added 5 days ago18 views

CVE-2026-12994

Technical details are not publicly available in the provided documents. The description summarizes the vulnerability but lacks concrete affected versions, components, and remediation specifics beyond general impact. Monitor for updates.

5.3CVSS6.2AI score0.00361EPSS
Exploits0References12
cve
cve
added 5 days ago10 views

CVE-2026-13353

CVE-2026-13353 affects the WP Ultimate CSV Importer (WordPress plugin) up to version 8.0.1. The root cause is missing capability checks on AJAX handlers (install_addon, saveMappedFields, StartImport) and exposure of the plugin nonce to any authenticated admin page, which enables a Subscriber+ to ...

8.8CVSS6.3AI score0.00606EPSS
Exploits0References6
nvd
nvd
added 6 days ago6 views

CVE-2026-6802

The Easy Upload Files During Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.0.1. This is due to missing authorization checks in the ufdccustominit function, which processes the 'eufdc-delete' parameter without any nonce verification,...

5.3CVSS0.00243EPSS
Exploits0References8
nessus
nessus
added 2026/07/09 12:0 a.m.5 views

GitLab 18.9 < 18.11.7 / 19.0 < 19.0.4 / 19.1 < 19.1.2 (CVE-2026-8472)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticate...

4.3CVSS6.2AI score0.00243EPSS
Exploits0References5
nvd
nvd
added 2026/07/08 9:16 p.m.8 views

CVE-2026-8472

GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to...

4.3CVSS0.00243EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/07/08 12:0 a.m.6 views

PT-2026-56621

Name of the Vulnerable Software and Affected Versions CAXperts UPVWebServices versions 2.4.2212.603 through 2.7.6 UDiTH Portal versions 2026.0.0 through 2026.2.0 Description An authenticated remote user can invoke an administrative API endpoint intended for privileged users. Due to missing...

8.1CVSS6.1AI score0.00276EPSS
Exploits0References5
cert
cert
added 2026/07/08 12:0 a.m.5 views

Adalo Database API Enables Cross-App User Data Extraction via Over-Fetching and Missing Authorization Controls

Overview Adalo’s no‑code application platform exposes complete user records through its database API for all applications built on both V1 and V2. Due to a platform-level flaw, authenticated users can retrieve full user data belonging to any Adalo application, regardless of configuration. This...

7.5CVSS5.9AI score0.00303EPSS
Exploits0
cvelist
cvelist
added 2026/07/06 10:30 p.m.34 views

CVE-2026-53640 FOSSBilling missing authorization checks on read-only admin API endpoints expose sensitive staff, client, and redirect data

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, low-privileged staff accounts may read sensitive data via admin API endpoints that lack permission checks. While sibling write endpoints correctly enforce fine-grained permissions, the corresponding...

2.3CVSS0.00226EPSS
Exploits0References1
osv
osv
added 2026/07/06 10:30 p.m.5 views

CVE-2026-53640 FOSSBilling missing authorization checks on read-only admin API endpoints expose sensitive staff, client, and redirect data

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, low-privileged staff accounts may read sensitive data via admin API endpoints that lack permission checks. While sibling write endpoints correctly enforce fine-grained permissions, the corresponding...

2.3CVSS6AI score0.00226EPSS
Exploits0References3
nvd
nvd
added 2026/07/06 10:16 p.m.9 views

CVE-2026-34167

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's Locked attribute. It loads activities via Activity::find$this-activityId wit...

5CVSS0.00199EPSS
Exploits0References4
nuclei
nuclei
added 2026/06/26 6:13 p.m.77 views

Apache OFBiz - Remote Code Execution

Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server id: CVE-2024-45507 info: name: Apache OFBiz -...

9.8CVSS8.3AI score0.93243EPSS
Exploits0References6
euvd
euvd
added 2026/06/26 3:58 p.m.6 views

EUVD-2026-39795

Pagekit CMS 1.0.18 contains a privilege escalation vulnerability that allows authenticated users with the 'user: manage users' permission to escalate privileges by assigning arbitrary custom roles to themselves due to missing authorization checks in UserApiController::saveAction. Attackers can...

8.8CVSS6.2AI score0.00479EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/26 3:58 p.m.7 views

CVE-2026-57518

Pagekit CMS 1.0.18 contains a privilege escalation vulnerability that allows authenticated users with the 'user: manage users' permission to escalate privileges by assigning arbitrary custom roles to themselves due to missing authorization checks in UserApiController::saveAction. Attackers can...

8.8CVSS6.2AI score0.00479EPSS
Exploits0References3
redhatcve
redhatcve
added 2026/06/25 4:1 p.m.7 views

CVE-2026-9800

A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access UMA permission checks. By including the configured access-denied page path within a request URL, either as a path...

8.1CVSS5.7AI score0.00301EPSS
Exploits0References3
euvd
euvd
added 2026/06/25 9:31 a.m.10 views

EUVD-2026-39186

The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records...

6.5CVSS5.8AI score0.00164EPSS
Exploits0References2
nvd
nvd
added 2026/06/25 5:16 a.m.9 views

CVE-2026-5952

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to bypass package protection rules and overwrite...

4.3CVSS0.00195EPSS
Exploits0References3
Rows per page
Query Builder